Freeradius can't authenticate pptp users from Windows XP to LDAP
tede
legedgard at gmail.com
Thu Oct 8 12:19:39 CEST 2009
Hi,
Sorry to bother, I've been reading almost every post here that talks about
the same problem that I'm encountering, but I didn't find any solution for
my trouble.
Here is the thing, I'm using freeradius + LDAP + pptpd, to authenticate
windows VPN Users.
When I put users Cleartext-password in the freeradius'users file, everything
works fine, but
when I remove this information from users'file and I want that the
authentication to be done
by LDAP database, nothing works.
Here is my users in LDAP database, for tests :
dn: uid=light,ou=vpn,dc=home
objectClass: account
objectClass: simpleSecurityObject
objectClass: radiusprofile
uid: light
cn: The Tester
structuralObjectClass: account
entryUUID: 74eeffe8-47c0-102e-87e0-8d7f2b5bb553
creatorsName:
createTimestamp: 20091007190752Z
userPassword:: dGVzdGVy
entryCSN: 20091007193817.121196Z#000000#000#000000
modifiersName: cn=admin,dc=home
modifyTimestamp: 20091007193817Z
dn: uid=flash,ou=vpn,dc=home
objectClass: account
objectClass: simpleSecurityObject
objectClass: radiusprofile
uid: flash
cn: Second one
userPassword:: dGVzdGVy
structuralObjectClass: account
entryUUID: 6fa73a2e-47c4-102e-8f78-e10206a13f31
creatorsName:
createTimestamp: 20091007193621Z
entryCSN: 20091007193621.607389Z#000000#000#000000
modifiersName:
modifyTimestamp: 20091007193621Z
And there, my Debug from freeradius :
Info: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Oct 3
2009 at 19:16:29
Info: Copyright (C) 1999-2008 The FreeRADIUS server project and
contributors.
Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info: PARTICULAR PURPOSE.
Info: You may redistribute copies of FreeRADIUS under the terms of the
Info: GNU General Public License.
Info: Starting - reading configuration files ...
Debug: including configuration file /etc/freeradius/radiusd.conf
Debug: including configuration file /etc/freeradius/clients.conf
Debug: including configuration file /etc/freeradius/policy.conf
Debug: including files in directory /etc/freeradius/sites-enabled/
Debug: including configuration file /etc/freeradius/sites-enabled/default
Debug: including configuration file
/etc/freeradius/sites-enabled/inner-tunnel
Debug: including dictionary file /etc/freeradius/dictionary
Debug: main {
Debug: prefix = "/usr"
Debug: localstatedir = "/var"
Debug: logdir = "/var/log/freeradius"
Debug: libdir = "/usr/lib/freeradius"
Debug: radacctdir = "/var/log/freeradius/radacct"
Debug: hostname_lookups = no
Debug: max_request_time = 30
Debug: cleanup_delay = 5
Debug: max_requests = 1024
Debug: allow_core_dumps = no
Debug: pidfile = "/var/run/freeradius/freeradius.pid"
Debug: user = "freerad"
Debug: group = "freerad"
Debug: checkrad = "/usr/sbin/checkrad"
Debug: debug_level = 0
Debug: proxy_requests = yes
Debug: security {
Debug: max_attributes = 200
Debug: reject_delay = 1
Debug: status_server = yes
Debug: }
Debug: }
Debug: client localhost {
Debug: ipaddr = 127.0.0.1
Debug: require_message_authenticator = no
Debug: secret = "hometest"
Debug: nastype = "other"
Debug: }
Debug: client 192.168.0.0/24 {
Debug: require_message_authenticator = no
Debug: secret = "hometest"
Debug: shortname = "private-network-1"
Debug: }
Debug: radiusd: #### Loading Realms and Home Servers ####
Debug: radiusd: #### Instantiating modules ####
Debug: instantiate {
Debug: (Loaded rlm_exec, checking if it's valid)
Debug: Module: Linked to module rlm_exec
Debug: Module: Instantiating exec
Debug: exec {
Debug: wait = yes
Debug: input_pairs = "request"
Debug: shell_escape = yes
Debug: }
Debug: (Loaded rlm_expr, checking if it's valid)
Debug: Module: Linked to module rlm_expr
Debug: Module: Instantiating expr
Debug: (Loaded rlm_expiration, checking if it's valid)
Debug: Module: Linked to module rlm_expiration
Debug: Module: Instantiating expiration
Debug: expiration {
Debug: reply-message = "Password Has Expired "
Debug: }
Debug: (Loaded rlm_logintime, checking if it's valid)
Debug: Module: Linked to module rlm_logintime
Debug: Module: Instantiating logintime
Debug: logintime {
Debug: reply-message = "You are calling outside your allowed timespan "
Debug: minimum-timeout = 60
Debug: }
Debug: }
Debug: radiusd: #### Loading Virtual Servers ####
Debug: server inner-tunnel {
Debug: modules {
Debug: Module: Checking authenticate {...} for more modules to load
Debug: (Loaded rlm_pap, checking if it's valid)
Debug: Module: Linked to module rlm_pap
Debug: Module: Instantiating pap
Debug: pap {
Debug: encryption_scheme = "auto"
Debug: auto_header = no
Debug: }
Debug: (Loaded rlm_chap, checking if it's valid)
Debug: Module: Linked to module rlm_chap
Debug: Module: Instantiating chap
Debug: (Loaded rlm_mschap, checking if it's valid)
Debug: Module: Linked to module rlm_mschap
Debug: Module: Instantiating mschap
Debug: mschap {
Debug: use_mppe = yes
Debug: require_encryption = no
Debug: require_strong = no
Debug: with_ntdomain_hack = no
Debug: }
Debug: (Loaded rlm_unix, checking if it's valid)
Debug: Module: Linked to module rlm_unix
Debug: Module: Instantiating unix
Debug: unix {
Debug: radwtmp = "/var/log/freeradius/radwtmp"
Debug: }
Debug: (Loaded rlm_ldap, checking if it's valid)
Debug: Module: Linked to module rlm_ldap
Debug: Module: Instantiating ldap
Debug: ldap {
Debug: server = "localhost"
Debug: port = 389
Debug: password = ""
Debug: identity = ""
Debug: net_timeout = 1
Debug: timeout = 4
Debug: timelimit = 3
Debug: tls_mode = no
Debug: start_tls = no
Debug: tls_require_cert = "allow"
Debug: tls {
Debug: start_tls = no
Debug: require_cert = "allow"
Debug: }
Debug: basedn = "ou=vpn,dc=home"
Debug: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
Debug: base_filter = "(objectclass=radiusprofile)"
Debug: password_attribute = "userPassword"
Debug: auto_header = yes
Debug: access_attr_used_for_allow = yes
Debug: groupname_attribute = "cn"
Debug: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
Debug: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
Debug: ldap_debug = 0
Debug: ldap_connections_number = 5
Debug: compare_check_items = no
Debug: do_xlat = yes
Debug: edir_account_policy_check = no
Debug: set_auth_type = no
Debug: }
Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
Debug: rlm_ldap: reading ldap<->radius mappings from file
/etc/freeradius/ldap.attrmap
Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP digestHA1 mapped to RADIUS Digest-HA1
Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS
Simultaneous-Use
Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS
Called-Station-Id
Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
Calling-Station-Id
Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP ntHash mapped to RADIUS NT-Hash
Debug: rlm_ldap: LDAP lmHash mapped to RADIUS LM-Hash
Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS
Framed-IP-Address
Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS
Framed-IP-Netmask
Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
Framed-Compression
Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
Framed-IPX-Network
Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
Termination-Action
Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS
Login-LAT-Service
Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
Debug: conns: 0x85f0988
Debug: Module: Checking authorize {...} for more modules to load
Debug: (Loaded rlm_realm, checking if it's valid)
Debug: Module: Linked to module rlm_realm
Debug: Module: Instantiating suffix
Debug: realm suffix {
Debug: format = "suffix"
Debug: delimiter = "@"
Debug: ignore_default = no
Debug: ignore_null = no
Debug: }
Debug: (Loaded rlm_files, checking if it's valid)
Debug: Module: Linked to module rlm_files
Debug: Module: Instantiating files
Debug: files {
Debug: usersfile = "/etc/freeradius/users"
Debug: acctusersfile = "/etc/freeradius/acct_users"
Debug: preproxy_usersfile = "/etc/freeradius/preproxy_users"
Debug: compat = "no"
Debug: }
Debug: Module: Checking session {...} for more modules to load
Debug: (Loaded rlm_radutmp, checking if it's valid)
Debug: Module: Linked to module rlm_radutmp
Debug: Module: Instantiating radutmp
Debug: radutmp {
Debug: filename = "/var/log/freeradius/radutmp"
Debug: username = "%{User-Name}"
Debug: case_sensitive = yes
Debug: check_with_nas = yes
Debug: perm = 384
Debug: callerid = yes
Debug: }
Debug: Module: Checking post-auth {...} for more modules to load
Debug: (Loaded rlm_attr_filter, checking if it's valid)
Debug: Module: Linked to module rlm_attr_filter
Debug: Module: Instantiating attr_filter.access_reject
Debug: attr_filter attr_filter.access_reject {
Debug: attrsfile = "/etc/freeradius/attrs.access_reject"
Debug: key = "%{User-Name}"
Debug: }
Debug: }
Debug: }
Debug: server {
Debug: modules {
Debug: Module: Checking authenticate {...} for more modules to load
Debug: Module: Checking authorize {...} for more modules to load
Debug: (Loaded rlm_preprocess, checking if it's valid)
Debug: Module: Linked to module rlm_preprocess
Debug: Module: Instantiating preprocess
Debug: preprocess {
Debug: huntgroups = "/etc/freeradius/huntgroups"
Debug: hints = "/etc/freeradius/hints"
Debug: with_ascend_hack = no
Debug: ascend_channels_per_line = 23
Debug: with_ntdomain_hack = no
Debug: with_specialix_jetstream_hack = no
Debug: with_cisco_vsa_hack = no
Debug: with_alvarion_vsa_hack = no
Debug: }
Debug: Module: Checking preacct {...} for more modules to load
Debug: (Loaded rlm_acct_unique, checking if it's valid)
Debug: Module: Linked to module rlm_acct_unique
Debug: Module: Instantiating acct_unique
Debug: acct_unique {
Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Debug: }
Debug: Module: Checking accounting {...} for more modules to load
Debug: (Loaded rlm_detail, checking if it's valid)
Debug: Module: Linked to module rlm_detail
Debug: Module: Instantiating detail
Debug: detail {
Debug: detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Debug: header = "%t"
Debug: detailperm = 384
Debug: dirperm = 493
Debug: locking = no
Debug: log_packet_header = no
Debug: }
Debug: Module: Instantiating attr_filter.accounting_response
Debug: attr_filter attr_filter.accounting_response {
Debug: attrsfile = "/etc/freeradius/attrs.accounting_response"
Debug: key = "%{User-Name}"
Debug: }
Debug: Module: Checking session {...} for more modules to load
Debug: Module: Checking post-auth {...} for more modules to load
Debug: }
Debug: }
Debug: radiusd: #### Opening IP addresses and Ports ####
Debug: listen {
Debug: type = "auth"
Debug: ipaddr = *
Debug: port = 0
Debug: }
Debug: listen {
Debug: type = "acct"
Debug: ipaddr = *
Debug: port = 0
Debug: }
Debug: main {
Debug: snmp = no
Debug: smux_password = ""
Debug: snmp_write_access = no
Debug: }
Debug: Listening on authentication address * port 1812
Debug: Listening on accounting address * port 1813
Debug: Listening on proxy address * port 1814
Debug: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 42393, id=88,
length=144
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "light"
MS-CHAP-Challenge = 0xb0e4f30555c866750a41eca5b070dd38
MS-CHAP2-Response =
0x0600ee6e8f48c9792c51f31cd89d99b33bdb0000000000000000b2e5571c233fe74a670d9dc9fbc59caf3076ab53eff195fe
Calling-Station-Id = "192.168.0.1"
NAS-IP-Address = 0x0101
NAS-Port = 0
Debug: +- entering group authorize
Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for
request 0
Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for
request 0
Debug: ++[preprocess] returns ok
Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Debug: ++[chap] returns noop
Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Debug: rlm_ldap: - authorize
Debug: rlm_ldap: performing user authorization for light
Debug: WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=light)
Debug: expand: ou=vpn,dc=home -> ou=vpn,dc=home
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: attempting LDAP reconnection
Debug: rlm_ldap: (re)connect to localhost:389, authentication 0
Debug: rlm_ldap: bind as / to localhost:389
Debug: rlm_ldap: waiting for bind result ...
Debug: rlm_ldap: Bind was successful
Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter
(uid=light)
Debug: rlm_ldap: No default NMAS login sequence
Debug: rlm_ldap: looking for check items in directory...
Debug: rlm_ldap: looking for reply items in directory...
Debug: WARNING: No "known good" password was found in LDAP. Are you sure
that the user is configured correctly?
Debug: rlm_ldap: user light authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Debug: ++[ldap] returns ok
Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Debug: rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type =
mschap'
Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request
0
Debug: ++[mschap] returns ok
Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Debug: rlm_realm: No '@' in User-Name = "light", looking up realm NULL
Debug: rlm_realm: No such realm "NULL"
Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request
0
Debug: ++[suffix] returns noop
Debug: modsingle[authorize]: calling unix (rlm_unix) for request 0
Debug: modsingle[authorize]: returned from unix (rlm_unix) for request 0
Debug: ++[unix] returns notfound
Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Debug: ++[files] returns noop
Debug: modsingle[authorize]: calling expiration (rlm_expiration) for
request 0
Debug: modsingle[authorize]: returned from expiration (rlm_expiration) for
request 0
Debug: ++[expiration] returns noop
Debug: modsingle[authorize]: calling logintime (rlm_logintime) for request
0
Debug: modsingle[authorize]: returned from logintime (rlm_logintime) for
request 0
Debug: ++[logintime] returns noop
Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0
Debug: rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
Debug: ++[pap] returns noop
Debug: rad_check_password: Found Auth-Type mschap
Debug: auth: type "MSCHAP"
Debug: +- entering group MS-CHAP
Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0
Debug: rlm_mschap: No Cleartext-Password configured. Cannot create
LM-Password.
Debug: rlm_mschap: No Cleartext-Password configured. Cannot create
NT-Password.
Debug: rlm_mschap: Told to do MS-CHAPv2 for light with NT-Password
Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform
authentication.
Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for
request 0
Debug: ++[mschap] returns reject
Debug: auth: Failed to validate the user.
Auth: Login incorrect: [light/<via Auth-Type = mschap>] (from client
localhost port 0 cli 192.168.0.1)
Debug: Found Post-Auth-Type Reject
Debug: +- entering group REJECT
Debug: modsingle[post-auth]: calling attr_filter.access_reject
(rlm_attr_filter) for request 0
Debug: expand: %{User-Name} -> light
Debug: attr_filter: Matched entry DEFAULT at line 11
Debug: modsingle[post-auth]: returned from attr_filter.access_reject
(rlm_attr_filter) for request 0
Debug: ++[attr_filter.access_reject] returns updated
Debug: Delaying reject of request 0 for 1 seconds
Debug: Going to the next request
Debug: Waking up in 0.9 seconds.
Debug: Sending delayed reject for request 0
Sending Access-Reject of id 88 to 127.0.0.1 port 42393
Debug: Waking up in 4.9 seconds.
Debug: Cleaning up request 0 ID 88 with timestamp +8
Debug: Ready to process requests.
Thank you very much for your Help.
Tede
--
View this message in context: http://www.nabble.com/Freeradius-can%27t-authenticate-pptp-users-from-Windows-XP-to-LDAP-tp25801493p25801493.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
More information about the Freeradius-Users
mailing list